[asterisk-bugs] [JIRA] (ASTERISK-26606) tcptls: Incorrect OpenSSL function call leads to misleading error report
Kevin Harwell (JIRA)
noreply at issues.asterisk.org
Mon May 22 15:45:03 CDT 2017
[ https://issues.asterisk.org/jira/browse/ASTERISK-26606?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kevin Harwell updated ASTERISK-26606:
-------------------------------------
Target Release Version/s: 14.5.0
> tcptls: Incorrect OpenSSL function call leads to misleading error report
> ------------------------------------------------------------------------
>
> Key: ASTERISK-26606
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-26606
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Core/General
> Affects Versions: 13.8.0, GIT
> Reporter: Bob Ham
> Assignee: Joshua Colp
> Severity: Minor
> Target Release: 13.16.0, 14.5.0
>
>
> In the function [handle_tcptls_connection() in tcptls.c|https://github.com/asterisk/asterisk/blob/a6e5bae3ef9fe498927e0b5f9318a64c9ff101a9/main/tcptls.c#L633], a call is made to SSL_connect() or SSL_accept() and the return value is checked with ERR_get_error(). However, [the man page|https://linux.die.net/man/3/ssl_get_error] for both of these functions specifies that SSL_get_error() should be used.
> While trying to diagnose an error, I was getting the message
> {{Problem setting up ssl connection: error:00000000:lib(0):func(0):reason(0)}}
> Modifying the code to use SSL_get_error() instead of ERR_get_error() gives the correct (although no more helpful) message:
> {{Problem setting up ssl connection: error:00000005:lib(0):func(0):reason(5)}}
> In fact, the return value from SSL_get_error() should be checked explicitly. The test code that I added was as follows:
> {code}
> if ((ret = ssl_setup(tcptls_session->ssl)) <= 0) {
>     int sslerr = SSL_get_error(tcptls_session->ssl, ret);
>     const char *msg;
>     ast_log(LOG_ERROR, "Problem setting up ssl connection: %s\n",
>         ERR_error_string(sslerr, err));
>     switch (sslerr) {
>     case SSL_ERROR_NONE: msg = "None"; break;
>     case SSL_ERROR_ZERO_RETURN: msg = "Zero return"; break;
>     case SSL_ERROR_WANT_READ: msg = "Want read"; break;
>     case SSL_ERROR_WANT_WRITE: msg = "Want write"; break;
>     case SSL_ERROR_WANT_CONNECT: msg = "Want connect"; break;
>     case SSL_ERROR_WANT_ACCEPT: msg = "Want accept"; break;
>     case SSL_ERROR_WANT_X509_LOOKUP: msg = "Want X509 lookup"; break;
>     case SSL_ERROR_SYSCALL:
>         if (ret == 0) {
>             msg = "Syscall EOF";
>         } else if (ret == -1) {
>             ast_log(LOG_ERROR, "Underlying BIO error: %s\n",
>                 strerror(errno));
>             msg = "Syscall underlying BIO error (see above)";
>         } else {
>             msg = "Syscall other";
>         }
>         break;
>     case SSL_ERROR_SSL: msg = "SSL"; break;
>     default: msg = "[Unknown]"; break;
>     }
>     ast_log(LOG_ERROR, "Error from ssl_setup: %s\n", msg);
> {code}
> This produces the following output:
> {code}
> [Nov 15 23:29:49] ERROR[2672]: tcptls.c:611 handle_tcptls_connection: Problem setting up ssl connection: error:00000005:lib(0):func(0):reason(5)
> [Nov 15 23:29:49] ERROR[2672]: tcptls.c:625 handle_tcptls_connection: Underlying BIO error: Connection reset by peer
> [Nov 15 23:29:49] ERROR[2672]: tcptls.c:635 handle_tcptls_connection: Error from ssl_setup: Syscall underlying BIO error (see above)
> {code}
> Obviously my switch statement is a hack but it would be good to have proper checking of the return value of SSL_get_error(), as directed by the man page documentation, in some wrapper function.
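The wrapper the reporter asks for, as an added example that is not part of the ticket or of Asterisk: it takes the SSL_get_error() code together with the handshake return value and the errno captured right after the call, and turns them into a verdict plus a message, instead of feeding an SSL_get_error() code to ERR_error_string(). The names classify_ssl_setup and ssl_setup_verdict are assumptions made for this example; the SSL_ERROR_* values are the ones OpenSSL defines.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* Values documented for SSL_get_error() in <openssl/ssl.h>; guarded so the
 * real header can be included instead. No OpenSSL function is called here. */
#ifndef SSL_ERROR_NONE
# define SSL_ERROR_NONE 0
# define SSL_ERROR_SSL 1
# define SSL_ERROR_WANT_READ 2
# define SSL_ERROR_WANT_WRITE 3
# define SSL_ERROR_WANT_X509_LOOKUP 4
# define SSL_ERROR_SYSCALL 5
# define SSL_ERROR_ZERO_RETURN 6
# define SSL_ERROR_WANT_CONNECT 7
# define SSL_ERROR_WANT_ACCEPT 8
#endif
/* What the caller of SSL_connect()/SSL_accept() should do next (example type). */
enum ssl_setup_verdict { SSL_SETUP_DONE, SSL_SETUP_RETRY, SSL_SETUP_CLOSED, SSL_SETUP_FAILED };
/* sslerr is SSL_get_error(ssl, ret), ret is the handshake return value and
 * saved_errno is errno captured immediately after that call. */
enum ssl_setup_verdict classify_ssl_setup(int sslerr, int ret, int saved_errno,
                                          char *buf, size_t len)
{
    switch (sslerr) {
    case SSL_ERROR_NONE:
        snprintf(buf, len, "handshake completed");
        return SSL_SETUP_DONE;
    case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_WRITE: case SSL_ERROR_WANT_CONNECT:
    case SSL_ERROR_WANT_ACCEPT: case SSL_ERROR_WANT_X509_LOOKUP:
        snprintf(buf, len, "handshake not finished, repeat the call (code %d)", sslerr);
        return SSL_SETUP_RETRY;
    case SSL_ERROR_ZERO_RETURN:
        snprintf(buf, len, "peer closed the TLS connection cleanly");
        return SSL_SETUP_CLOSED;
    case SSL_ERROR_SYSCALL:
        /* Error queue is empty here (hence ERR_get_error() gave 00000000); errno only valid if ret == -1. */
        if (ret == 0)
            snprintf(buf, len, "unexpected EOF from peer during handshake");
        else
            snprintf(buf, len, "underlying BIO error: %s", strerror(saved_errno));
        return SSL_SETUP_FAILED;
    case SSL_ERROR_SSL:
        snprintf(buf, len, "TLS protocol failure, details are in the OpenSSL error queue");
        return SSL_SETUP_FAILED;
    default:
        snprintf(buf, len, "unknown SSL_get_error() code %d", sslerr);
        return SSL_SETUP_FAILED;
    }
}
```

For the reset connection in the ticket the call would be classify_ssl_setup(SSL_ERROR_SYSCALL, -1, ECONNRESET, ...), which yields SSL_SETUP_FAILED and an "underlying BIO error: Connection reset by peer" message in a single log line.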
--
This message was sent by Atlassian JIRA
(v6.2#6252)